I’ve been playing around with let’s encrypt and the official client available on github.

I have to admit the client is great to automatize the process and with some tweaking can be also applied to nginx. But it’s slow and you need to have python installed. If you use apache, it will works flawlessly and is very easy to deal with.

I decided to look for some alternative and I stumbled upon @letsencrypt.sh

letsencrypt.sh

If you used the official client to generate some certificate, you should do the procedure to import your account private key and import your certificate before trying anything. This is well explained in the readme of the project.

Considering that step done I’ll give you what I’ve done to make it work and automatically renew my certs. I also consider you have cloned the repository.

Set letsencrypt.sh

The first thing is to create 2 directories, one that will hold the configuration and the certificates generate and the other to hold the challenge keys used by the protocol to verify the ownership of the domain.

Directories

mkdir -p /etc/letsencrypt.sh/
mkdir -p /var/www/letsencrypt/.well-known/acme-challenge/

You should now move the folder certs, the files domains.txt, config.sh to /etc/letsencrypt.sh

Configuration

I set up my configuration file this way:

#!/bin/bash

########################################################
# This is the config file for letsencrypt.sh #
# #
# This file is looked for in the following locations: #
# $SCRIPTDIR/config.sh (next to this script) #
# ${HOME}/.letsencrypt.sh/config.sh (in user home) #
# /usr/local/etc/letsencrypt.sh/config.sh #
# /etc/letsencrypt.sh/config.sh #
# ${PWD}/config.sh (in current working-directory) #
# #
# Default values of this config are in comments #
########################################################

# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
#CA="https://acme-v01.api.letsencrypt.org/directory"

# Path to license agreement (default: https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf)
#LICENSE="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"

# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
#BASEDIR=$SCRIPTDIR

# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: $BASEDIR/.acme-challenges)
WELLKNOWN="/var/www/letsencrypt/.well-known/acme-challenge/"

# Location of private account key (default: $BASEDIR/private_key.pem)
#PRIVATE_KEY="${BASEDIR}/private_key.pem"

# Default keysize for private keys (default: 4096)
KEYSIZE="4096"

# Path to openssl config file (default: <unset> - tries to figure out system default)
#OPENSSL_CNF=

# Program or function called in certain situations
#
# After generating the challenge-response, or after failed challenge (in this case altname is empty)
# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
# default: <unset>
#HOOK=

# Minimum days before expiration to automatically renew certificate (default: 14)
#RENEW_DAYS="14"

# Regenerate private keys instead of just signing new certificates on renewal (default: no)
#PRIVATE_KEY_RENEW="no"

# E-mail to use during the registration (default: <unset>)
[email protected]

Feel free to modify it for your need, just keep in mind the use of the WELLKNOWN variable for the path of the challenge.

Nginx

Now the last step is to add a little snippet of code in your nginx domains. The basic idea is to redirect the path for the challenge to the directory we created.

location ^~ /.well-known/acme-challenge {
allow all;
root /var/www/letsencrypt;
}

The allow all is there because I have a rule that forbid the access to any hidden file/directory. This way, this directory is accessible.

And now you’re set, just follow the readme to register new domain, they should get validated without problem. Also, don’t forget to reload your nginx after adding this snippet to your configuration.